amphion forum: understanding android security
DESCRIPTION
This is the talk on Android Security presented at Amphion Forum, Washington D.C., June 27, 2012.
TRANSCRIPT
Understanding Android Security
Pragati Ogal Rai, Mobile Technology Evangelist
X.commerce (an eBay Inc. Company)
Agenda
Why should I understand Android’s Security Model?
Android platform security model
Android application security model
Android device security
Why should I understand Android’s Security Model?
Smart(er) Phones
Open Platform
Variety of devices
YOU control your phone
Android OS Architecture
http://developer.android.com/guide/basics/what-is-android.html
Linux Kernel
Distinct UID and GID for each application at install time
Sharing can occur through component interactions
Linux process sandbox
Linux Kernel (Cont’d)
include/linux/android_aid.h
AID_NET_BT 3002 Can create Bluetooth Sockets
AID_INET 3003 Can create IPv4 and IPv6 Sockets
Middleware
Dalvik VM is not a security boundary
No security manager
Permissions are enforced in OS and not in VM
Bytecode verification for optimization
Native vs. Java code
Application Layer
Permissions restrict component interaction
Permission labels defined in AndroidManifest.xml
MAC enforced by Reference Monitor
PackageManager and ActivityManager enforce permissions
Permission Protection Levels
Normal
android.permission.VIBRATE
com.android.alarm.permission.SET_ALARM
Dangerous
android.permission.SEND_SMS
android.permission.CALL_PHONE
Signature
android.permission.FORCE_STOP_PACKAGES
android.permission.INJECT_EVENTS
SignatureOrSystem
android.permission.ACCESS_USB
android.permission.SET_TIME
User Defined Permissions
Developers can define own permissions
<permission
    android:name="com.pragati.permission.ACCESS_DETAILS"
    android:label="@string/permlab_accessDetails"
    android:description="@string/permdesc_accessDetails"
    android:permissionGroup="android.permission-group.COST_MONEY"
    android:protectionLevel="signature" />
Components
Activity: Define screens
Service: Background processing
Broadcast Receiver: Mailbox for messages from other applications
Content Provider: Relational database for sharing information
Instrumentation: Testing
All components are secured with permissions
Application Artifacts
Binder: Synchronous RPC mechanism
Intents: Asynchronous IPC
Pending Intents: Enforce caller’s application permissions
AndroidManifest.xml: Application’s policy file
Application Signature
Applications are self-signed; no CA required
Signatures define persistence
– Detect if the application has changed
– Application update
Signatures define authorship
– Establish trust between applications
– Run in same Linux ID
Application Upgrade
Applications can register for auto-updates
Applications should have the same signature
No additional permissions should be added
Install location is preserved
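As an added example (not code from the talk), a small Python audit of the manifest rules on the permission and upgrade slides: it resolves each <uses-permission> to a protection level, honouring the app's own <permission> declarations, and flags permissions an update requests that the installed version did not. The platform permission table covers only the permissions named in the talk, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PROTECTION = f"{{{ANDROID_NS}}}protectionLevel"

# Protection levels of the platform permissions named in the talk; anything else
# not declared by the app itself is reported as "unknown" rather than guessed.
PLATFORM_LEVELS = {
    "android.permission.VIBRATE": "normal",
    "com.android.alarm.permission.SET_ALARM": "normal",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.CALL_PHONE": "dangerous",
    "android.permission.FORCE_STOP_PACKAGES": "signature",
    "android.permission.INJECT_EVENTS": "signature",
    "android.permission.ACCESS_USB": "signatureOrSystem",
    "android.permission.SET_TIME": "signatureOrSystem",
}

def declared_permissions(manifest_xml):
    """<permission> names the app defines, mapped to protectionLevel (default 'normal')."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME): p.get(PROTECTION, "normal") for p in root.iter("permission")}

def requested_permissions(manifest_xml):
    """<uses-permission> names mapped to their level, from the platform table or the app's own declarations."""
    root = ET.fromstring(manifest_xml)
    levels = {**PLATFORM_LEVELS, **declared_permissions(manifest_xml)}
    return {u.get(NAME): levels.get(u.get(NAME), "unknown") for u in root.iter("uses-permission")}

def upgrade_added_permissions(old_manifest, new_manifest):
    """Permissions the update requests that the installed version did not (the upgrade rule from the talk)."""
    return sorted(set(requested_permissions(new_manifest)) - set(requested_permissions(old_manifest)))

# Constructed sample manifests: v1 is installed, v2 is the candidate update.
MANIFEST_V1 = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.pragati.demo">
  <permission android:name="com.pragati.permission.ACCESS_DETAILS"
              android:protectionLevel="signature" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <uses-permission android:name="com.pragati.permission.ACCESS_DETAILS" />
</manifest>"""

MANIFEST_V2 = MANIFEST_V1.replace(
    '<uses-permission android:name="android.permission.VIBRATE" />',
    '<uses-permission android:name="android.permission.VIBRATE" />\n'
    '  <uses-permission android:name="android.permission.SEND_SMS" />')

if __name__ == "__main__":
    print(requested_permissions(MANIFEST_V2))
    print("added by update:", upgrade_added_permissions(MANIFEST_V1, MANIFEST_V2))
```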
System Packages
Come bundled with ROM
Have signatureOrSystem Permission
Cannot be uninstalled
/system/app
Device Security Features
No Default Access to Device Metadata
Extensible DRM Framework
External Storage (Android 2.2)
No Third Party SIM Card Access
Protected access to cost generating APIs
Full File System Encryption (Android 3.0)
Password Protection
Remote Device Administration (Android 2.2)
Memory Management Features
Summary
Linux process sandbox
Permission based component interaction
Permission labels defined in AndroidManifest.xml
Applications need to be signed
Signatures define persistence and authorship
Install time security decisions